quasar | hxxps://gofile[.]io/d/s3eN8d

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/s3eN8d

Score

10^/10

quasar defense_evasion discovery spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
960	Client-built.exe
856	BuffXresolver.exe
3680	Client-built.exe
2496	Client-built.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\BuffXresolver.exe	Client-built.exe
File created	C:\Program Files\BuffXresolver.exe\:Zone.Identifier:$DATA	Client-built.exe
File created	C:\Program Files\BuffXresolver.exe	Client-built.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810858364941079"	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	chrome.exe
File created	C:\Program Files\BuffXresolver.exe\:Zone.Identifier:$DATA	Client-built.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
900	chrome.exe
900	chrome.exe
900	chrome.exe
900	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeDebugPrivilege	960	Client-built.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeDebugPrivilege	856	BuffXresolver.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe
Token: SeShutdownPrivilege	1812	chrome.exe
Token: SeCreatePagefilePrivilege	1812	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe
1812	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	BuffXresolver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2816	1812	chrome.exe	77
PID 1812 wrote to memory of 2816	1812	chrome.exe	77
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 3788	1812	chrome.exe	78
PID 1812 wrote to memory of 236	1812	chrome.exe	79
PID 1812 wrote to memory of 236	1812	chrome.exe	79
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80
PID 1812 wrote to memory of 4896	1812	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/s3eN8d
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e3d9cc40,0x7ff9e3d9cc4c,0x7ff9e3d9cc58
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3080,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3356,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4560,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4440,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5036,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5332,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4924
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- - C:\Program Files\BuffXresolver.exe
    "C:\Program Files\BuffXresolver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5320,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3132,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:4304
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Users\Admin\Downloads\Client-built.exe
  "C:\Users\Admin\Downloads\Client-built.exe"
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5268,i,11788252417470123882,15939583473688940507,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\253ebc61-7f9e-4c71-a451-7d5580ec3c12.tmp

Filesize
228KB

MD5
cd41efe009902a690d98f0db6102c694

SHA1
30ad03bf9caf4727b8928be09c9993e5ba478ea3

SHA256
41f10c5f62f3334287831b5ceec445ee59fe910548f5828fa5cf3549a19f669d

SHA512
612ae3eb506f57357fa957a9c2d4a0473969727a3baf5a92883494f8b9c9e9dbe7c9af8c61d51a192088037b9f43564673c6ad139cb98755db4d175028d72aa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e8370724f376146b23a7d3f3d452a792

SHA1
e2624281f1c1191c307c81b40af42c2be235bdba

SHA256
899dc230d2a7d375558246110d74234155da336feae264b0d0b81ab3c0a3ed16

SHA512
02ad1df3b5589c87042121841d87f25dcc52ef10185c6c35105e8f2fa1ab032030675ab2a66e7fcb8b1006d4b51ab03fc30e28f6d1c19d62ee66e28341325417

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
9cdee9f1b8fab90e9ccbf541609d5c1f

SHA1
35a16bcc052faf112139cf78f10c799a84aa03e0

SHA256
cf0cd9b669499e0b1e0bd2f21abbcbe6212fb3569d6b33e52404809c2f7cf3bd

SHA512
334861e07b5533656d8a84fc1e307fff71e015936080472e068255f6d852aa11c066a11f8167a455f04ee63c15ded5f8aff0a54454ef7601ee2551a22f611f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d440557b4880c8c2de133e3470b6381c

SHA1
3e15fde358a28f171d00022a9ecd42483c806121

SHA256
559c0f6a1785fb6742065e68a3d67a3820ace6c2a4b0651b81f3891443f7fcef

SHA512
4811edbe05749648571bca5445216362944474ded7bdc1cdb13a03cd9b7b20bc2abe164a46b158f5157df23581c87b32974c3af96b73471986fec4373cc708b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
28580f0b15b26f2a4d55651029d4b80c

SHA1
bf6a14c866b6909d84675bdbf01e122c8789f2cf

SHA256
64add63c85461217b3ef576c2bbeca2c1d0ec7f6f4dc8963068263ad0c6e7671

SHA512
65ee179030583aeea86e11e4973449a8c6e3bd97483bba00cf7778d283a8fb050005a442cbd11536b8526534c1ddd87b46379c3d3e9d0ade730f405a2043ac1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba3d49c54dad28ee43a8f802d410f831

SHA1
013b2971f0226a31242e5412fcd4dd483313b3fa

SHA256
6ee165babef4e03a4eb97973b34794704937959a360b090554ecd4830f9671bf

SHA512
5c08994c623fb563cbc5e68b87a0505a1e64c88edabe1adacbb03c4a5a608c5c5c8a58161dc4e18714f2ef305db4a30a1b13ba9a51833c9a2a21ebf511bbc269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85537616bd081bf5a137d48ce158c797

SHA1
d188071f2c7ed99e072e6c32bc9a1c0c2646e62e

SHA256
b4e7965b263cc5f4ae11c7470c87a996ec9f8bd9c148e2e132d4663290d2bc11

SHA512
3784732158248b516720d7531454bfa9ffa01678c2479df499e28a80c80a34f80ea1e9b17305cdc56a05a0c8b1e19a06879e6515b387347a1577baefef577772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0cd8827f8d4a1c735a0311903bbc493c

SHA1
27c9dfa7957e314b7695c8e408f71a7fb2dcb9a4

SHA256
1291727baaa003b1d952beeb4f84afedc5b8d5038f588086d88c3b104d653bdb

SHA512
de27983c8c8bfba06d65a8262fdff22bcffe9671319077e2b93f85438894da43bcab684c37f6d4693fb465bcebf9c131adb34333549c5c810f873aecb8aa6c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc2f3e8d622945841ce3241e9d35106f

SHA1
4303a55656be4ec4cd770f197b6ee130123234b3

SHA256
ddbcef80482f8046cc51f9d1f6283d45fe2025c2e74b3f97c01f0ed1d5cffa61

SHA512
745ca4027241eea4d6faf2760f09a77095e2bf38c7f13fd19404316be052c240d56ffa8061b5f44f4e9f6da4c25d5927b66b50713e9173d0e9901429e7f4dbf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c10b0832f70a347bd2ae8404199a841

SHA1
76de8321e8e41f75ebdbe145064e41158b673ee9

SHA256
eed3b8940771c85ed36413c55466677768f69503262af11ed0ff329e14857790

SHA512
0d4d290b60d2144137780e0d30c508e9f56a876523014a3f00d56e4b2327f2a9fa55e96c4d53a3a4f05e4e292f08da6670d76b1080d698a5df9c88079bec01ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0662877d64eedbd57e78367e7fc82e1a

SHA1
de15393feaad80b7be67a3c07ce6b4a371f7b3e6

SHA256
1017dd3762ba43cc0067dacc5f1f2e5c9a850c6e4dfb64e71a0b7b7ad2b3a5ec

SHA512
c90c315499fca9da3d3ea8dad61d119a470f30b224f70658cee99c60605256b695b5a26397b655834359835c2b6c1af66c4d432236a5c6f0ec7e038a17786c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55d43ad6d0286080d20bb127d409bf80

SHA1
638353815fe82d999352595abbc14c356fbd07a8

SHA256
bd5a83e998cd7a90cb2e77b2bb759a41952e51da3bacdeedecfff6557af107a6

SHA512
12e4db842860ab893347468b2cef3b71518a899e072d5ba525fae7fc09031e0aca262a65fbb2d219ebc432b8cbc8ea27ba14050ca6fd14813cf87fec51aa3552

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8408c9cd8dfae48383a052900c08ca5b

SHA1
adfc5a67f0d60cfdd634531965ba660a71cc0817

SHA256
d3f1491cbd11fc80953ef37edbe8a0788318b6982676cb1009117d8aa136e76b

SHA512
66fb2cad83897fee0b3df75e185eb1b59bf75a99a22823e751e920974c39020cdffc972d25c128cacd0ae4bb035151f5f4baffdf18ace1b998a31ed780eef90d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df81f2b198690d729550c008ecfe501a

SHA1
d034ebcf8949de63723213de0b6acfbad0c78bc5

SHA256
579ca3d3b52162870e94bacc005bec947690a720afcf75ae0abf439ee51725fc

SHA512
19ac49316b1011cd9463f28cce162ea4dae6f01c2e561fe45acc04004ff64348b449fc9ab1837f708991c8d892dab7becf8158a47e374357768cb1a0ba3f5750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ea2f96d6162f01cada2e23f3d316940f

SHA1
68ce301440811f3b00b335a73309c2249d1bdd3e

SHA256
56fdac0969837d702fb810946422c13c45e4b91adba59e67eab973985dd67c89

SHA512
af373d0a3c473c9fd37c41115c41343eac0a83134d72bd589747153b7183391e764f7f42991463bbcba328c8a8c89b6f5a0458d658b3ee066d678fb2a80c6967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
09ee9b1c515d17646b6ac5545627111e

SHA1
ffe7209203b7bd10d40add991ace28b9edb10bca

SHA256
afb3912754e870340d6bca419f83a6d3993387f0eddac0b9aaed01e127a9c2af

SHA512
2993689488174a0948967eecb8fa3a0414bb08c8cad7b027d1fa3f44d06a1ce679e1753f9b3f736a9e41f602a2cf1fc8bae66fb2141d377bb43ccb30b2988c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Client-built.exe.log

Filesize
584B

MD5
213c6278c834a3081b9703ec59d3d532

SHA1
4b31b46df4249f77d95225d4ea3c890dedb18224

SHA256
3f98d1f0dd0b471c9b61f0a311a823afac3154d20d5ddd2c14248cc4f75b9d45

SHA512
d677433e741caf48a214631022f0d8d44c37675e8722ffb4575c2e4c949ace2c2c5318202d303324c68c07554a766e5432dc3dd0549c74cbbc1ffee05dc117a0

Download Submit
C:\Users\Admin\Downloads\Client-built.exe

Filesize
505KB

MD5
2ccdccf6c147006da0230d8fdaea2f84

SHA1
ccdf21a6ceae06747523d3edf9684688fea0d504

SHA256
e40833934923e8135542bd32f4154e88baf072f811ae9363b0be3245569467e8

SHA512
39b81e5eada84f5a8bac52059f0f666100d405c9cd6c840da6c21925c67c10b2c3dbf8d2a40c7cc5a802e4060a10fca34dc32a8d096af79c739544dc7ab5cbbc

Download Submit
C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier

Filesize
159B

MD5
1072e346968b8f895374d6859ec99f77

SHA1
219d4feca025d25c14c06f72bb4c6bc745ea6555

SHA256
1c2154f245d582765287e74f3aa07b1eaed19c02c5bcff2e42b60761862d6ab4

SHA512
34b1d85b3dfa62a39f0d8cf8486624a627dca309dde9cf59c933f9cb2f3436901047819b2603be9deb91262713b38e3400576382b6fa79570ba46e989841c40f

Download Submit
memory/856-124-0x000000001C690000-0x000000001C698000-memory.dmp

Filesize
32KB

Download
memory/856-125-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/856-107-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/960-75-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/960-108-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/960-85-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/960-84-0x000000001C950000-0x000000001C9B2000-memory.dmp

Filesize
392KB

Download
memory/960-78-0x00007FF9CF380000-0x00007FF9CFD21000-memory.dmp

Filesize
9.6MB

Download
memory/960-77-0x000000001C870000-0x000000001C90C000-memory.dmp

Filesize
624KB

Download
memory/960-76-0x000000001C300000-0x000000001C7CE000-memory.dmp

Filesize
4.8MB

Download
memory/960-74-0x00007FF9CF635000-0x00007FF9CF636000-memory.dmp

Filesize
4KB

Download